Secure REST service inside Modx

camicase82 · August 5, 2020, 4:59pm

Hi there, I have a fairly simple requirement to expose a rest service, such service basically receives two numeric parameters and runs some internal logic.

I already checked this https://docs.modx.com/current/en/extending-modx/developing-restful-api and https://forums.modx.com/thread/102949/rest-api-in-modx-to-build-an-android-app and the creation of the service itself seem easy, but I’m stuck on the authentication as the only option I understand is available out of the box is oAuth, but it’ll be an overkill for what we are doing, any ideas on how to implement a simple token authentication besides asking for the param and validating inside the PHP code and adding some additional security like IP filtering?

I’ll should also point out that the service code must be able to query users/extended properties and access protected sections and data of the system, but auth should be as simple as possible.

mayanktaker · August 6, 2020, 8:04pm

This is the solution but I still dont know how. I also want simple authentication for rest api next.js but currently I dont know how to use this extra so I ended up with wordpress rest api.
You can try this if you have knowledge.

Also revert back if you find success.
A nice simple working tutorial is needed to get started.

camicase82 · August 6, 2020, 8:16pm

Thanks a lot, will take a look

mayanktaker · August 10, 2020, 7:22pm

Please let me know your progress because I also want to use this rest api authentication on my ionic mobile app.

halftrainedharry · August 11, 2020, 1:43pm

When you install the Extra ‘modJWT’ it creates a new resource ‘ModJWT’ (+ 3 child resources) that demonstrate the use of the extra.

Basically: Use the snippet [[!jwtEncode]] to create a token, the snippet [[!jwtDecode]] to verify it and the system setting modjwt.secretkey to set the password.

To use the extra in the REST API you would have to override the function verifyAuthentication(). For example if you attach the token to a GET-request like https://www.mydomain.com/rest/myendpoint?&token=eyJ0eXAi... the code would look something like this:

public function verifyAuthentication() {

	//Run the snippet: jwtDecode
	$output = $this->modx->runSnippet('jwtDecode',array('method'=>'GET','httpQuery'=>'token'));

	//Turn the JSON Object to Array
	$outputarray = json_decode($output, true);

	//Evaluate
	if ($outputarray['_valid'] !== 1) {
		return false;
	}

	//maybe do some additional checks here
	
	return true;
}

camicase82 · August 13, 2020, 1:36pm

Hi there, at the end for me the sample was more than enough for my needs as I just needed to control one endpoint and just two paramaters/1 method, so used the provided jwtDecodeRunSnippet as base and got my 10 lines of code in there

mayanktaker · August 19, 2020, 11:19pm

Can you write a tutorial for a blog which use collections extra? And viewers only view when they are logged in via rest api …

camicase82 · August 19, 2020, 11:36pm

Hi there, I can’t help, at the end I basically extended the existing jwtDecodeRunSnippet and added the system calls I needed when someone makes a post request with the rigth parameters to my resource, so no much no explain there, I just added my logic after the ‘if ($outputarray[’_valid’] === 1) { ’ that already exists in the sample, and that was pretty much it as my requirement wasn’t actually building an API but just exposing and endpoint secured by a JWT token and tunning some simple logic on my modx installation